Major UK Pubs Ignore GDPR With Contact Tracing

July 31, 2020 - Published by

Recently, a new law in the UK was introduced which mandated that at least one person per party must give their name and contact phone number to pubs and restaurants they visit.

It has been brought to my attention that major UK pubs including Wetherspoons have turned to the services of data marketing companies to collect this sensitive customer data in a highly nontransparent manner, the details of which I am going to share here.

This post is from July 31st 2020, and as of the time of publishing, these systems are still implemented.

Wetherspoons Contact Tracing Gives Customer Data To Data Marketing Company & Partners

Let’s take Wetherspoons for an example, as they are a large and influential pub chain in the UK.

Recently, they started posting the following signs in their pubs:

Now looking at this sign, it appears to be operated by the NHS (or at least in partnership with) and possibly Wetherspoons – the reality, is unfortunately very different.

If you scan this QR code, you get taken to the following site: trck.to

Along with having to run proprietary JavaScript (that could be exploiting personal data), you are here prompted to give your name, number, how long you plan on staying, and at the bottom you are told the data is only shared with the NHS, and destroyed after 21 days. It also cites Wetherspoon’s Privacy Policy.

HOWEVER…

If you click on ‘About this service’, you are taken to the website of Airship, a data marketing company focusing on hospitality.

Airship makes no secret of the fact that their primary goal is to gather highly detailed and invasive information about customers in order to track them in ways the average customer is probably not aware is happening, and would be hidden in a lengthy ToS/Privacy Policy somewhere.

They, in fact, offer this service to many large chains including Cafe Nero, Pret and LEON.

According to their website:

THEY store the data FOR these companies, and these companies can access it through a panel – surely this means the privacy policy of Airship should be referenced on this trck.to ‘service’ also, or instead of?

It gets much worse…

Now that we’ve established Airship actually collects and stores this data on behalf of these major chains, we must take a closer look at who they work with.

Currently, there are 15 companies on this list, most of which are data science/marketing/sales companies.

On their website, there is a page called ‘Professionals’ which talks about and links to all of the companies they share the data they collect with.

These companies include: (about company quotes are taken directly from the Airship: Professionals page)

    • Small Fry – “Meet Small Fry: a digital studio in London that specialises in Fun Stuff On The Internet™. Using their previous experience as in-house creatives and strategists, the Small Fry team works with some of the UK’s leading food + beverage challenger brands…”
    • Weave Marketing – “A boutique marketing agency with strategy, creativity and practicality at the heart of what we do. As ex-client side marketeers for some of the best known brands in the UK, we genuinely understand the intricacies of working with tight budgets…”
    • Data Hawks – “Your business is brimming with data, from a dizzying range of sources. DataHawks joins your data up, whether from payment, feedback, social or WIFI; analyses it to surface instant, easy-to-action opportunity; enriches it to give you unparalleled…”
    • KAM Media – “Understanding and influencing the customer journey is vital to any business and getting it even slightly wrong, can be catastrophic. KAM Media is a research consultancy, specialising in hospitality and retail. Our research and insights tools…”
    • The Advanced Sales Network – “The Advanced Sales Network (TASN) provides a range of sales solutions to businesses in the hospitality industry, designed to transform prebooked sales performance. TASN offers support at many levels: strategically advising and directing sales teams…”
    • Nineteen – “Nineteen are a hospitality marketing agency, we are passionate about creating strategic solutions that are memorable and above all add to the bottom line. For us hospitality marketing is all about relationships. Our approach starts…”
    • 2Forks – “If you want to squeeze more juice out of your written communications, you need to speak to 2Forks. Annica and Anna have specialised exclusively in food and drink copywriting since 2014, helping the likes of Dishoom, Wahaca and…”
    • Mandela Marketing – “Experienced hospitality marketer, working across multi-brands and multi-categories including industry giants such as Comptoir Libanais and The Restaurant Group, alongside start ups and independent food businesses…”
    • Brand Reveller – “We are a brand and marketing agency for premium brands, based in London. We specialise in brand strategy, exceptional creative, digital and social media marketing. We love working with clients and businesses with character…”

This is incredibly worrying, as many of these companies also make no secret of the fact that they profit from invasive data collection in ways probably not understood by the average consumer.

To quote directly from this page (as seen in the screenshot):

“But it’s all good, and they’re all good people.”

This honestly seems like some sort of joke – but it isn’t.

We cannot know for sure what is going on, and perhaps they do delete the data after 21 days and don’t share it like they claim to, but in my opinion the truth is likely more sinister. I believe this to be the case because of the huge lack of transparency from the poster and wrong privacy policy that’s cited, that has no mention of Airship storing the data in it.

TAKE ACTION!

We have to make clear that this is not acceptable. Please contact companies following these dodgy practices and tell them to change, and report potential GDPR violations to to the ICO. I am not a lawyer so I am unsure of the exact legality of this, but in my opinion there are very likely GDPR violations occurring here (if you know for sure please contact me).

Please share that this is happening, make sure people are aware. The more these issues are brought into the light, the less shady practices like these will be able to prosper.

Additional Information

It seems that something similar to this is happening in Australia, see here:

Australian QR codes used for COVID-19 contact tracing (found in pubs and restaurants) redirect to websites that will disclose your personal information to adv companies and bombard you with targeted ads. This is not OK

--------

Please contact me if you have any comments or questions about this post.

Categorised in:

This post was written by Karl Swanepoel